After a two-year transition period, becomes enforceable on 25 May 2018
Enforcement date: 25 May 2018 – after the date, organizations in non-compliance may face heavy fines.
If you process data about individuals in the context of selling goods or providing services to residences in EU countries, you are required to comply with GDPR. Non-compliance organizations are subject to be fined up to 4% of annual global turnover, or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the principles of GDPR.
GDPR not only applies to organisations located within the EU but it will also impact organisations outside of the EU if they offer goods or services to, or monitor the behaviors of, EU data subjects. It applies to all companies processing personal data of data subjects residing in the European Union, regardless where are the companies.
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
A regulation is a binding legislative act. It must be applied in its entirety across the EU, while a directive is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to decide how. It is important to note that the GDPR is a regulation, in contrast the the previous legislation, which is a directive.
Compliance to GDPR is a bottom up management. The first thing is about your awareness and readiness in all level of staff who will process the personal data your organization processes. Follow the principles raised by GDPR that constitutes the core requirements of GDPR, while establishes relevant procedures of processing to meet the requirements of all clauses in processing data. Understand your data processing activities by inventory all the data and the processes, and find out all the data collected directly or indirectly are relevant to your specific purposes of processing and compliant to the legal basis of GDPR. Do all required activities, including to provide information to data subjects about your legal basis and how will you keep, use or transfer their data, to provide the channel or interface that data subjects can exercise their subject rights and to comply with all the requirements about using a data processor or transmission data to 3rd countries. If you keep the data in your organization, appropriate safeguards and protection by default should be met. In order to keep the compliance to GDPR, a DPO and privacy protection organization are recommended to be in place, Risk assessments, and compliance checking will help to find out necessary steps to meet all the requirements of GDPR.